def configure_axon(reload=True):
uuid = synapse.get(AGENT_UUID_PATH)
agent_id = synapse.get(AGENT_ID_PATH)
account_id = synapse.get(ACCOUNT_ID_PATH)
if not uuid:
uuid = str(uuid4())
synapse.set(AGENT_UUID_PATH, uuid)
axon_template = Template(filename="/elan-agent/elan-center/axon.nginx")
with open("/etc/nginx/sites-enabled/axon", "w") as axon_file:
axon_file.write(
axon_template.render(
uuid=uuid,
cc_ipv4=CC_IPv4,
cc_ipv6=CC_IPv6,
))
# Reload Nginx
if reload:
utils.reload_service('nginx')
mosquitto_template = Template(
filename="/elan-agent/elan-center/axon.mosquitto")
with open("/etc/mosquitto/conf.d/axon.conf", "w") as mosquitto_file:
mosquitto_file.write(
mosquitto_template.render(uuid=uuid,
agent_id=agent_id,
account_id=account_id))
# Reload Nginx
if reload:
utils.restart_service('mosquitto')
def join(cls, realm, user, password):
cls._run([
'net', 'conf', 'setparm', 'global', 'dedicated keytab file',
'/etc/krb5.keytab'
])
cls._run([
'net', 'conf', 'setparm', 'global', 'kerberos method',
'dedicated keytab'
])
cls._run([
'net', 'ads', 'join', '-U',
'{user}%{password}'.format(user=user, password=password), realm
])
restart_service('winbind')
cls._run(['net', '-P', 'ads', 'keytab', 'create'])
cls._run(['chown', 'freerad', '/etc/krb5.keytab'])
cls._run(['usermod', '-a', '-G', 'winbindd_priv', 'freerad'])
cls._run(
['chgrp', 'winbindd_priv', '/var/lib/samba/winbindd_privileged'])
f = open('/etc/freeradius/3.0/.k5identity', 'w')
f.write('{hostname}$@{realm}'.format(hostname=socket.gethostname(),
realm=realm).upper())
f.close()
process_result = cls._run(['net', '-P', 'ads', 'info'])
info = {}
for line in process_result.stdout.split('\n'):
try:
key, value = line.split(': ', 2)
except ValueError:
pass
else:
if key == 'LDAP server':
info['ldap_server_ip'] = value
if key == 'LDAP server name':
info['ldap_server_name'] = value
elif key == 'LDAP port':
info['ldap_port'] = value
elif key == 'Bind Path':
info['ldap_base_dn'] = value
elif key == 'Realm':
info['realm'] = value
cls.synapse.set(cls.REDIS_INFO_PATH, info)
def agent_conf_updated(self, conf):
conf_changed = False
for key in self.KEYS:
if self.conf.get(key, {}) != conf[key]:
self.conf[key] = conf[key]
conf_changed = True
# save credentials for other program use...
if key == 'credentials':
self.synapse.set(SNMP_DEFAULT_CREDENTIALS_PATH, conf[key])
if conf_changed:
# Grab template
snmp_template = Template(filename="/elan-agent/nac/snmp/snmptrapd.conf")
with open ("/etc/snmp/snmptrapd.conf", "w") as server_file:
server_file.write(snmp_template.render(**self.conf))
restart_service('elan-snmp-notification-receiver')
def agent_conf_updated(self, conf):
conf_changed = False
for key in self.KEYS:
if self.conf.get(key, "") != conf[key]:
self.conf[key] = conf[key]
conf_changed = True
if conf_changed:
# Grab template
server_template = Template(filename="/elan-agent/nac/freeradius/server")
with open ("/etc/freeradius/3.0/sites-enabled/nac", "w") as server_file:
server_file.write(server_template.render(**self.conf))
with open ("/etc/freeradius/3.0/certs/nac.pem", "w") as cert_file:
# reverse certchain so that freeradius/openssl finds the cert matching the private key in first position...
cert_list = [ cert + '-----END CERTIFICATE-----\n' for cert in self.conf['cert_chain'].split('-----END CERTIFICATE-----') if '-----BEGIN CERTIFICATE-----' in cert ]
cert_file.write(''.join(reversed(cert_list)))
cert_file.write(self.conf['cert_key'])
# Reload freeradius
restart_service('freeradius')
def apply_conf(self):
module_conf = '''
rest external-auth {
connect_uri = "http://127.0.0.1:8080/authentication/"
authorize {
uri = "${..connect_uri}authorize?provider=%{%{session-state:ELAN-Auth-Provider}:-%{ELAN-Auth-Provider}}&source=%{ELAN-Auth-Type}"
method = 'post'
body = 'json'
}
authenticate {
uri = "${..connect_uri}authenticate?provider=%{%{session-state:ELAN-Auth-Provider}:-%{ELAN-Auth-Provider}}&source=%{ELAN-Auth-Type}"
method = 'post'
body = 'json'
}
pool {
start = 0
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 0
}
}
exec ADpap {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password}"
}
mschap ADmschap {
winbind_username = "******"
winbind_domain = "%{mschap:NT-Domain}"
pool {
start = 0
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 5
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
passchange {
}
allow_retry = yes
retry_msg = "Enter a valid password"
}
rest auth_provider_failed {
connect_uri = "http://127.0.0.1:8080/authentication/provider/failed"
authorize {
uri = "${..connect_uri}"
method = 'post'
body = 'json'
}
authenticate {
uri = "${..connect_uri}"
method = 'post'
body = 'json'
}
pool {
start = 0
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 0
}
}
rest auth_provider_failed_in_group {
connect_uri = "http://127.0.0.1:8080/authentication/provider/failed-in-group"
authorize {
uri = "${..connect_uri}"
method = 'post'
body = 'json'
}
authenticate {
uri = "${..connect_uri}"
method = 'post'
body = 'json'
}
pool {
start = 0
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 0
}
}
rest auth_all_providers_failed_in_group {
connect_uri = "http://127.0.0.1:8080/authentication/group/all-failed"
authorize {
uri = "${..connect_uri}"
method = 'post'
body = 'json'
}
authenticate {
uri = "${..connect_uri}"
method = 'post'
body = 'json'
}
pool {
start = 0
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 0
}
}
'''
inner_switch_server_conf = ""
# Generate the files if we have all the information...
new_provided_services = set()
has_active_directory = False
for auth in self.authentications.values():
auth_type = auth.get('type', 'external')
if auth_type == 'LDAP':
module_conf += "\n" + self.ldap_template.render(**auth)
inner_switch_server_conf += '''
case {id} {{
'''.format(id=auth['id'])
inner_switch_server_conf += self.ldap_auth_template.render(
**auth)
inner_switch_server_conf += '''
if(fail) {
update request {
ELAN-Auth-Failed := &session-state:ELAN-Auth-Provider
}
auth_provider_failed
update request {
Module-Failure-Message !* ANY
}
}
}
'''
# also notify that we provide this auth
new_provided_services.add(
'authentication/provider/{id}/authenticate'.format(
id=auth['id']))
new_provided_services.add(
'authentication/provider/{id}/authorize'.format(
id=auth['id']))
elif auth_type == 'active-directory':
# Join domain if not already done
if not AD.joined(auth['domain']):
if AD.joined():
AD.leave()
# try to join
try:
AD.join(realm=auth['domain'],
user=auth['adminLogin'],
password=auth['adminPwd'])
except AD.Error as e:
status = {'status': 'error', 'error': e.message}
else:
status = {'status': 'joined'}
self.dendrite.publish_conf(
'authentication/provider/{id}/status'.format(
id=auth['id']), status)
if AD.joined(auth['domain']):
has_active_directory = True
inner_switch_server_conf += '''
case {id} {{
'''.format(id=auth['id'])
inner_switch_server_conf += self.ad_auth_template.render(
**auth)
inner_switch_server_conf += '''
if(fail) {
update request {
ELAN-Auth-Failed := &session-state:ELAN-Auth-Provider
}
auth_provider_failed
update request {
Module-Failure-Message !* ANY
}
}
}
'''
module_conf += "\n" + self.ad_template.render(**AD.info())
# also notify that we provide this auth
new_provided_services.add(
'authentication/provider/{id}/authenticate'.format(
id=auth['id']))
new_provided_services.add(
'authentication/provider/{id}/authorize'.format(
id=auth['id']))
else:
auth[
'join_failed'] = True # so that if we receive again same conf, we try to join again (new condf!= old)
elif auth_type == 'group':
# Take care of groups, that can be nested:
inner_switch_server_conf += '''
case {id} {{
group {{
{inner_case}
if( ! &ELAN-Non-Failed-Auth) {{
auth_all_providers_failed_in_group
}}
}}
}}
'''.format(id=auth['id'],
inner_case=self.get_group_inner_case(auth['id']))
# Quit AD domain if required
if not has_active_directory and AD.joined():
AD.leave()
with open("/etc/freeradius/3.0/mods-enabled/authentications",
"w") as module_file:
module_file.write(module_conf)
with open("/etc/freeradius/3.0/policy.d/authentications",
"w") as policy_file:
policy_file.write(
self.policy_template.render(
inner_switch=inner_switch_server_conf))
# CAs
for provider in self.authentications.values():
if provider.get('server_ca', None):
with open(
"/etc/freeradius/3.0/certs/server_CA/auth-{id}.pem".
format(id=provider['id']), "w") as server_ca_file:
server_ca_file.write(provider['server_ca'])
# unprovide
for service_path in self.provided_services - new_provided_services:
self.dendrite.unprovide(service_path)
# Reload freeradius
restart_service('freeradius')
# new provides
for service_path in new_provided_services:
self.dendrite.provide(service_path, cb=self.on_call)
self.provided_services = new_provided_services